Task 6.3 ZBFW alternative

I tested this with ICMP and it worked fine as well.

! ACL 125 identifies the SMTP server: client -> server on tcp/25, and
! traffic sourced from tcp/25 on the server (used by the reverse zone-pair)
access-list 125 permit tcp any host 192.1.10.100 eq smtp
access-list 125 permit tcp host 192.1.10.100 eq smtp any
!
! match-all: a packet must be SMTP AND match ACL 125 to fall in this class
class-map type inspect match-all SMTP-INSPECT
 match protocol smtp
 match access-group 125
!
! Stateful inspection of SMTP; return traffic is permitted automatically.
! Everything else between the two zones is dropped by class-default.
policy-map type inspect BB2BB3
 class type inspect SMTP-INSPECT
  inspect
 class class-default
  drop
!
! Zones must exist before interfaces can be made members of them
zone security BB2
zone security BB3
!
! The same policy is applied in both directions between BB2 and BB3
zone-pair security BB2BB3 source BB2 destination BB3
 service-policy type inspect BB2BB3
zone-pair security BB3BB2 source BB3 destination BB2
 service-policy type inspect BB2BB3
!
interface FastEthernet0/1.52
 zone-member security BB2
!
interface FastEthernet0/1.53
 zone-member security BB3

Comments

  • Yes, this ZBFW will work fine.  I did include a third zone, i.e. all the other interfaces on R5, as Internal, and allowed everything from this to the others and vice versa.  Did you check traffic from the internal network to the BBs?

    My real issue was with the wording of 6.2 with 6.3, as one access-list is required to match on the server, and that seems to break 6.2's request to have no access-lists?

    Oh, and using ZBFW is seriously longer and more complex than a single service-policy.
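The three-zone layout the comment describes, written out as an added illustration (this is not configuration from the original post or from the workbook): an Internal zone holding the remaining R5 interfaces, with stateful inspection in both directions between Internal and each backbone zone, while BB2 and BB3 keep the SMTP-only policy above. The interface names placed in Internal, the zone-pair, class-map and policy-map names (ALL-TRAFFIC, INT-TO-BB), and the choice of inspecting tcp/udp/icmp generically to cover "everything" are all assumptions.

```ios
! Added example (not from the original post): Internal zone for the
! remaining R5 interfaces; names and interfaces below are assumed
zone security Internal
!
! "Everything": inspect TCP, UDP and ICMP generically rather than per
! application, so return traffic is permitted statefully without ACLs
class-map type inspect match-any ALL-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INT-TO-BB
 class type inspect ALL-TRAFFIC
  inspect
 class class-default
  drop
!
! Internal <-> BB2 and Internal <-> BB3 in both directions, as the
! comment describes; BB2 <-> BB3 still uses the SMTP-only BB2BB3 policy
zone-pair security INT-BB2 source Internal destination BB2
 service-policy type inspect INT-TO-BB
zone-pair security BB2-INT source BB2 destination Internal
 service-policy type inspect INT-TO-BB
zone-pair security INT-BB3 source Internal destination BB3
 service-policy type inspect INT-TO-BB
zone-pair security BB3-INT source BB3 destination Internal
 service-policy type inspect INT-TO-BB
!
! Assumed internal-facing interfaces. Every routed interface that must
! reach the backbones has to be in a zone: an interface with no zone
! cannot exchange traffic with an interface that is a zone member
interface FastEthernet0/0
 zone-member security Internal
interface FastEthernet0/1.51
 zone-member security Internal
```

Two checks worth running after applying this: `show zone-pair security` to confirm every pair has the intended policy attached in the intended direction, and `show policy-map type inspect zone-pair sessions` while a connection from Internal to a BB is open, to confirm it is being tracked by inspect rather than silently dropped by class-default. Note that none of these zone-pairs affect traffic to or from R5 itself (the self zone), so routing-protocol and management traffic to the router is unchanged.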
